On 2016-12-24, Predrag Punosevac <punoseva...@gmail.com> wrote:
> Gregory Edigarov wrote:
>> On 20.12.16 13:47, Stuart Henderson wrote:
>> >
>> > Workaround for this without modifying the syslog daemon:
>> > - run normal OpenBSD syslogd in addition to the other daemon
>> > - have the other syslog daemon bind to a specific IP address
>> > - have OpenBSD syslogd feed the other daemon using a network socket
>> >
>> Or, do not run anything else than syslogd. Seriously, I can't think
>> of any case where that wouldn't be enough.

Some people want logging in a different format. Some might want host
matching based on subnet rather than hostnames. Some want expression
matching and alerting (though I think it's better to do this in a
separate program rather than adding complication to the main logging
daemon).

> I could think of one case. Namely based on reading man pages syslogd
> doesn't support MySQL logging. I am looking to play with echofish
>
> https://echothrust.github.io/echofish/
>
> which is developed on OpenBSD in spite of the fact that it is not in the
> ports tree and is a real time log monitoring system. Based on these short
> notes
>
> https://github.com/echothrust/echofish/blob/master/INSTALL.md

I think I'd just use the pipe feature in syslog.conf. Just feed it to a
simple perl script to split the input line and write them out to a
database, then if there's some kind of problem, it's less likely to have
an impact on the main syslog writing. (I'd always want simple files in
addition to any database-backed logging).

> I am inferring that syslog-ng which runs really well on OpenBSD is a good
> choice for echofish. This is my question
>
> @Stuart Could you please clarify if syslogd is automatically going to
> open/hold port 514 udp. Namely I would like to keep running syslog
> daemon on the logging server itself and send the log files to syslog-ng
> per
>
> https://www.balabit.com/wiki/syslog-ng-faq-syslogd

Yes, syslogd(8) does bind like this (for _sending_ log messages to
another host):

$ fstat|grep syslogd.*internet
_syslogd syslogd 34322 4* internet dgram udp *:514
_syslogd syslogd 34322 5* internet6 dgram udp *:514

This prevents another process from binding to *:514. So if you want to
do this via syslog-ng rather than my other suggestion, you have a couple
of alternatives:

- bind syslog-ng to a specific IP address (127.0.0.1?)
- bind syslog-ng to a different port
- feed syslog-ng via a named pipe, as suggested on that page - syslogd(8)
  doesn't feed directly to named pipes, but if you pre-create one with
  mkfifo you can use "*.* |cat > /path/to/fifo" in syslog.conf.
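
The pipe-to-a-script approach suggested above, sketched as an added example that is not part of the original post or of any project mentioned in it. It is written in Python rather than perl and uses SQLite as a stand-in for the database; the line layout ("Mmm dd hh:mm:ss host tag[pid]: message"), the table name and the default file name are assumptions. Log text is influenced by whoever can make a daemon log something, so it is only ever passed to the database as a bound parameter.

```python
import re
import sqlite3
import sys

# Assumed layout: "Mmm dd hh:mm:ss host tag[pid]: message" (traditional BSD syslog lines).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?:(?P<tag>[^\s:\[\]]+)(?:\[(?P<pid>\d+)\])?: )?"
    r"(?P<msg>.*)$"
)

def parse_line(line):
    """Split one syslog line into fields; unparsable lines are kept whole in 'msg'."""
    line = line.rstrip("\r\n")
    m = LINE_RE.match(line)
    if m is None:
        return {"ts": None, "host": None, "tag": None, "pid": None, "msg": line}
    rec = m.groupdict()
    rec["pid"] = int(rec["pid"]) if rec["pid"] else None
    return rec

def open_db(path):
    """Open (or create) the SQLite file and the hypothetical 'logs' table."""
    db = sqlite3.connect(path)
    db.execute("CREATE TABLE IF NOT EXISTS logs "
               "(ts TEXT, host TEXT, tag TEXT, pid INTEGER, msg TEXT)")
    return db

def store(db, rec):
    """Insert via bound parameters only; log text is never spliced into the SQL string."""
    try:
        with db:  # one transaction per record, committed on success
            db.execute("INSERT INTO logs VALUES (:ts, :host, :tag, :pid, :msg)", rec)
        return True
    except sqlite3.Error as exc:
        # A database problem costs this record only; keep draining stdin so
        # the pipe does not fill up (the flat files remain the primary copy).
        print(f"syslog2db: dropped record: {exc}", file=sys.stderr)
        return False

def main(argv):
    db = open_db(argv[1] if len(argv) > 1 else "syslog.db")
    for line in sys.stdin:  # syslogd writes one message per line to the pipe
        store(db, parse_line(line))

if __name__ == "__main__":
    main(sys.argv)
```
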